1 Introduction


Explicit timing constraints are naturally present in real-life systems (transmission delays, response time, etc.). Classical models (finite automata, Petri nets, etc.) cannot express such real-time constraints. Since their introduction by Rajeev Alur and David Dill in [6, 7], timed automata are one of the most studied models for real-time systems: in those systems, quantitative properties of delays between events can easily be expressed. Numerous works have been devoted to the "theoretical" comprehension of timed automata: determinization [9], minimization [3], power of clocks [5, 33], power of $\varepsilon$-transitions [15], extensions of the model [27, 35, 23, 13], logical characterizations [35], etc. have in particular been investigated. Practical aspects of the model have also been considered and several model-checkers are now available (HYTECH [31], KRONOS [25], UPPAAL [38]). These model-checkers have been used to verify many industrial case studies (see the web pages of the tools, given page 13).


One of the major properties of timed automata is probably that reachability properties are decidable [7], though timed automata have an infinite number of configurations. The core of this result is the construction of the so-called region automaton, which finitely abstracts the behaviours of timed automata in such a way that checking reachability in a timed automaton reduces to checking reachability in a (somewhat larger) finite automaton. This construction has many other applications, for example the decidability of TCTL model-checking [2] (TCTL is the timed extension of the logic CTL). However, many problems remain undecidable, as not everything can be reduced to the untimed framework. For example, timed automata are neither determinizable nor complementable [7]. Checking whether a timed automaton is determinizable (or complementable) is even an undecidable problem [42]. Another important example is the undecidability of the universality problem for timed automata [7].


The aim of this tutorial is to give some understanding of the timed automata model. We will present the basic tools which are used in the domain of verification of timed systems. In particular, after having presented the model, we will present in detail the region automaton construction. For modeling reasons, it is important to have expressive models, but it is also important that the models remain decidable. We will then present several variants or extensions of timed automata, focusing on the decidability of reachability properties, and on the expressiveness of the models. We will end this tutorial with some implementation and algorithmic issues.


We would like to point out several recent surveys on timed automata which present current works and results on timed automata with a point of view somewhat different from the one adopted in this tutorial. A recent survey by Rajeev Alur and Madhusudan P. gives many hints about decidability issues for timed automata [10]. In [11], Eugene Asarin presents the current challenges in timed languages theory.


2 Timed Automata 


If $Z$ is a set, let $Z^*$ be the set of finite sequences of elements in $Z$. We consider as time domain $\mathbb{T}$ the set $\mathbb{Q}_+$ of non-negative rationals or the set $\mathbb{R}_+$ of non-negative reals, and $\Sigma$ as a finite set of actions. A time sequence over $\mathbb{T}$ is a finite non-decreasing sequence $\tau = (t_i)_{1 \le i \le p} \in \mathbb{T}^*$. A timed word $w = (a_i, t_i)_{1 \le i \le p}$ is an element of $(\Sigma \times \mathbb{T})^*$, also written as a pair $w = (\sigma, \tau)$, where $\sigma = (a_i)_{1 \le i \le p}$ is a word in $\Sigma^*$ and $\tau = (t_i)_{1 \le i \le p}$ a time sequence in $\mathbb{T}^*$ of the same length.


Clock Valuations, Operations on Clocks. We consider a finite set $X$ of variables, called clocks. A clock valuation over $X$ is a mapping $v : X \to \mathbb{T}$ which assigns to each clock a time value. The set of all clock valuations over $X$ is denoted $\mathbb{T}^X$. Let $t \in \mathbb{T}$; the valuation $v + t$ is defined by $(v + t)(x) = v(x) + t$ for all $x \in X$. We also use the notation $(\alpha_i)_{1 \le i \le n}$ for the valuation $v$ such that $v(x_i) = \alpha_i$. For a subset $Y$ of $X$, we denote by $[Y \leftarrow 0]v$ the valuation such that for each $x \in Y$, $([Y \leftarrow 0]v)(x) = 0$ and for each $x \in X \setminus Y$,


Clock Constraints. Given a finite set of clocks $X$, we introduce two sets of clock constraints over $X$. The most general one, denoted $\mathcal{C}(X)$, is defined by the grammar:

$g ::= x \bowtie c \mid x - y \bowtie c \mid g \wedge g \mid \mathrm{true}$

where $x, y \in X$, $c \in \mathbb{Z}$ and $\bowtie \in \{<, \le, =, \ge, >\}$.

We also use the proper subset of diagonal-free constraints where the comparison between two clocks is not allowed. This set, denoted $\mathcal{C}_{df}(X)$, is defined by the grammar:

$g ::= x \bowtie c \mid g \wedge g \mid \mathrm{true}$

where $x \in X$, $c \in \mathbb{Z}$ and $\bowtie \in \{<, \le, =, \ge, >\}$.

A $k$-bounded clock constraint is a clock constraint which involves only constants $c$ between $-k$ and $+k$. The set of $k$-bounded (resp. $k$-bounded diagonal-free) clock constraints is denoted $\mathcal{C}^k(X)$ (resp. $\mathcal{C}^k_{df}(X)$). A constraint of the form $x - y \bowtie c$ is a diagonal constraint.

If $v$ is a clock valuation, we write $v \models g$ when $v$ satisfies the clock constraint $g$, and we say that $v$ satisfies $x \bowtie c$ (resp. $x - y \bowtie c$) whenever $v(x) \bowtie c$ (resp. $v(x) - v(y) \bowtie c$). If $g$ is a clock constraint, we write $[\![g]\!]$ for the set of clock valuations $\{v \in \mathbb{T}^X \mid v \models g\}$.


Timed Automata. A timed automaton over $\mathbb{T}$ is a tuple $\mathcal{A} = (\Sigma, Q, T, I, F, X)$, where $\Sigma$ is a finite alphabet of actions, $Q$ is a finite set of states, $X$ is a finite set of clocks, $T \subseteq Q \times [\mathcal{C}(X) \times \Sigma \times 2^X] \times Q$ is a finite set of transitions¹, $I \subseteq Q$ is the subset of initial states and $F \subseteq Q$ is the subset of final states. If all constraints appearing in $\mathcal{A}$ are diagonal-free, we say that $\mathcal{A}$ is a diagonal-free timed automaton.

¹ For more readability, a transition will often be written as $q \xrightarrow{g,a,Y} q'$ or even as $q \xrightarrow{g,a,Y:=0} q'$ instead of simply the tuple $(q, g, a, Y, q')$.


A path in $\mathcal{A}$ is a finite sequence of consecutive transitions:

$P = q_0 \xrightarrow{g_1, a_1, Y_1} q_1 \cdots q_{p-1} \xrightarrow{g_p, a_p, Y_p} q_p$

where $q_{i-1} \xrightarrow{g_i, a_i, Y_i} q_i \in T$ for every $1 \le i \le p$.


The path is said to be accepting if it starts in an initial state ($q_0 \in I$) and ends in a final state ($q_p \in F$). A run of the automaton along the path $P$ is a sequence of the form:

$(q_0, v_0) \xrightarrow[t_1]{g_1, a_1, Y_1} (q_1, v_1) \cdots \xrightarrow[t_p]{g_p, a_p, Y_p} (q_p, v_p)$

where $\tau = (t_i)_{1 \le i \le p}$ is a time sequence and $(v_i)_{1 \le i \le p}$ are clock valuations such that:

$v_0(x) = 0$ for all $x \in X$,
$v_{i-1} + (t_i - t_{i-1}) \models g_i$,
$v_i = [Y_i \leftarrow 0]\big(v_{i-1} + (t_i - t_{i-1})\big)$

(with the convention $t_0 = 0$). The label of the run is the timed word $w = (a_1, t_1) \ldots (a_p, t_p)$. If the path $P$ is accepting then the timed word $w$ is said to be accepted by $\mathcal{A}$. The set of all timed words accepted by $\mathcal{A}$ is denoted by $L(\mathcal{A})$.


Remark 1 In these notes, we only consider finite paths and words with finitely many actions, but we could consider more general acceptance conditions (Büchi, Muller, etc.) as well, see [7].


Example 1 An example of timed automaton is given below.

[Figure not reproduced: a timed automaton with states $\ell_0$, $\ell_1$, $\ell_2$; the legible transition label is $x - y > 3, b$.]

This timed automaton accepts the timed word $(a, 4.1)(b, 5.5)$. An accepting run for this word is

$(\ell_0, (0, 0)) \xrightarrow[4.1]{a} (\ell_1, (4.1, 0)) \xrightarrow[5.5]{b} (\ell_2, (5.5, 1.4))$

where $(4.1, 0)$ represents the valuation $v$ such that $v(x) = 4.1$ and $v(y) = 0$.

3 Reachability Analysis


For verification purposes, the most fundamental properties that one should be able to verify are reachability properties: safety properties can for example be expressed as reachability properties. Usually a class of models is said to be decidable whenever checking reachability properties in this class is decidable. Otherwise this class is said to be undecidable. For timed automata, the reachability properties we want to check are: "Is state $q$ of timed automaton $\mathcal{A}$ reachable? i.e. is there a run starting in an initial state and leading to $q$?" There is no requirement on the values of the clocks when reaching state $q$. This problem is equivalent to the emptiness problem (from a language-theoretical point of view), where the question is whether the language accepted by a timed automaton is empty or not.


The class of finite automata is obviously decidable; the reachability problem is even NLOGSPACE-complete [36], and efficient methods, symbolic techniques, data structures, etc. have been developed and implemented [24]. The problem with timed automata is that the number of configurations of a timed automaton is infinite (a configuration is a pair $(q, v)$ where $q$ is a state and $v$ a clock valuation). Techniques used for verifying finite automata thus cannot be used for timed automata. Specific symbolic techniques and abstractions have to be developed, which take into account the specific properties of timed automata, in particular the fact that clocks evolve synchronously with global time.


In the following, we will concentrate on the verification of reachability properties in timed automata, and present the basic techniques for solving this problem. Of course, in the literature, more general properties have been considered. For example, the model-checking of TCTL [2], a timed extension of CTL, is decidable in PSPACE, and symbolic techniques have been developed to efficiently model-check TCTL [34]. Note however that not everything can be reduced to the finite untimed case using the region automaton construction: for example, universality of timed automata is undecidable [7], and model-checking of most linear-time timed temporal logics is undecidable when equality can be used in the constraints [8].


4 The Region Abstraction 


The construction we describe below is due to Alur and Dill [6]. The aim of this construction is to finitely abstract the behaviours of timed automata, so that checking a reachability property in a timed automaton reduces to checking a reachability property in a finite automaton.


4.1 The Region Automaton Construction

Region Partitioning. Let us fix a finite set of clocks $X$. Let $\mathcal{R}$ be a finite partitioning of $\mathbb{T}^X$. Let $\mathcal{C}$ be a finite set of constraints over $X$. We define three compatibility conditions as follows:


① We say that $\mathcal{R}$ is compatible with constraints $\mathcal{C}$ if for every constraint $g$ in $\mathcal{C}$, for every $R$ in $\mathcal{R}$, either $R \subseteq [\![g]\!]$ or $[\![g]\!] \cap R = \emptyset$.

② We say that $\mathcal{R}$ is compatible with elapsing of time if for all $R$ and $R'$ in $\mathcal{R}$, if there exist some $v \in R$ and $t \in \mathbb{T}$ such that $v + t \in R'$, then for every $v' \in R$, there exists some $t' \in \mathbb{T}$ such that $v' + t' \in R'$.

③ We say that $\mathcal{R}$ is compatible with resets whenever for all $R$ and $R'$ in $\mathcal{R}$, for every subset $Y \subseteq X$, if $[Y \leftarrow 0]R \cap R' \neq \emptyset$, then $[Y \leftarrow 0]R \subseteq R'$.


If $\mathcal{R}$ satisfies these three conditions, we say that $\mathcal{R}$ is a set of regions for the set of constraints $\mathcal{C}$, or simply a set of regions (if $\mathcal{C}$ is clear from the context). $\mathcal{R}$ defines in a natural way an equivalence relation $\equiv_{\mathcal{R}}$ over valuations ($v \equiv_{\mathcal{R}} v'$ iff for each region $R$ of $\mathcal{R}$, $v \in R \iff v' \in R$). An equivalence class of $\equiv_{\mathcal{R}}$ (or equivalently an element of $\mathcal{R}$) is called a region. If $v$ is a valuation, we write $[v]_{\mathcal{R}}$ for the region to which $v$ belongs.


The intuition behind these conditions is the following: we want to finitely abstract the behaviours of timed automata. To this aim, we finitely abstract the (infinite) set of valuations: a valuation $v$ will be abstracted by the region $[v]_{\mathcal{R}}$. In order for the abstraction to preserve (at least) reachability properties, it must be the case that if two valuations are equivalent, then their future behaviours are also equivalent. The three conditions above precisely express this property: condition ① says that two equivalent valuations satisfy the same clock constraints, condition ② says that elapsing of time does not distinguish two equivalent valuations, whereas condition ③ says that resetting clocks does not distinguish two equivalent valuations.


Region Graph. From a set of regions $\mathcal{R}$ one can define the so-called region graph, which represents the possible timing evolutions of the system: the region graph is a finite automaton whose set of states is $\mathcal{R}$ and whose transitions are:

$R \to R'$ if $R'$ is a time successor of $R$,
$R \xrightarrow{Y} R'$ if $[Y \leftarrow 0]R \subseteq R'$.

Intuitively, the region graph records the possible timed evolutions of the system: there is a transition $R \to R'$ if, from every valuation of $R$, it is possible to let some time elapse and reach $R'$. There is a transition $R \xrightarrow{Y} R'$ if, from $R$, $R'$ can be reached by resetting the clocks in $Y$.


Example 2 Let us consider the following partitioning $\mathcal{R}$ of $\mathbb{R}_+^2$:

[Figure not reproduced: the partitioning $\mathcal{R}$ of the $(x, y)$ plane.]

It is easy to verify that $\mathcal{R}$ is a set of regions for the constraints $\{y = 1, x = y\}$. The region graph associated with $\mathcal{R}$ is represented on Fig. 1.

Fig. 1: A simple example of region graph (figure not reproduced; the legible edge label is "time elapsing")


Region Automaton. Consider a timed automaton $\mathcal{A} = (\Sigma, Q, T, I, F, X)$ with set of constraints $\mathcal{C}$. Let $\mathcal{R}$ be a finite set of regions for $\mathcal{C}$ (i.e. a partitioning of $\mathbb{T}^X$ satisfying conditions ①, ② and ③). The region automaton $\Gamma_{\mathcal{R}}(\mathcal{A})$ is the finite automaton whose set of states is $Q \times \mathcal{R}$, whose initial states are $I \times \{R_0\}$ (where $R_0$ is the region containing the valuation assigning 0 to each clock), whose final states are $F \times \mathcal{R}$ and whose transitions are defined as follows:

• there is a transition $(\ell, R) \xrightarrow{a} (\ell', R')$ whenever there exists a transition $\ell \xrightarrow{g, a, Y} \ell'$ in $\mathcal{A}$ with $R \subseteq [\![g]\!]$ and $R \xrightarrow{Y} R'$ a transition of the region graph;

• there is a transition $(\ell, R) \xrightarrow{\varepsilon} (\ell, R')$ whenever $R \to R'$ is a transition of the region graph.

This automaton somehow simulates the original timed automaton: the first type of transitions simulates discrete actions (or transitions) whereas the second type of transitions simulates elapsing of time.


The fundamental property of this construction is the following:

Proposition 1 Let $\mathcal{A}$ be a timed automaton with set of constraints $\mathcal{C}$. We assume we can construct a set of regions $\mathcal{R}$ for $\mathcal{C}$. Then,

$\mathrm{Untime}(L(\mathcal{A})) = L(\Gamma_{\mathcal{R}}(\mathcal{A}))$

where $L(\Gamma_{\mathcal{R}}(\mathcal{A}))$ is the (untimed) language accepted by $\Gamma_{\mathcal{R}}(\mathcal{A})$, and

$\mathrm{Untime}((a_1, t_1) \ldots (a_p, t_p)) = a_1 \ldots a_p.$

More precisely, whenever in $\mathcal{A}$ we can wait some delay and do an $a$, then in $\Gamma_{\mathcal{R}}(\mathcal{A})$ we can take several $\varepsilon$-transitions and then do an $a$, and vice versa. We will see in section 4.3 that this property is naturally expressed in terms of time-abstract bisimulation. Checking reachability properties in $\mathcal{A}$ thus reduces to checking reachability properties in $\Gamma_{\mathcal{R}}(\mathcal{A})$. As $\Gamma_{\mathcal{R}}(\mathcal{A})$ is a finite automaton, we get that for every timed automaton $\mathcal{A}$ for which we can construct a set of regions (satisfying conditions ①, ② and ③), we can decide reachability properties using the region automaton construction.


4.2 Region Automaton for Classical Timed Automata

We fix for this subsection a finite set of clocks $X$.

Sets of regions for diagonal-free constraints. Let $M$ be an integer. We define the following partitioning of $\mathbb{T}^X$. Let $v$ and $v'$ be two valuations of $\mathbb{T}^X$; we say that $v \equiv_M v'$ if all three following conditions hold (where $\lfloor \alpha \rfloor$ and $\{\alpha\}$ denote the integer and fractional parts of $\alpha$):

• $v(x) > M$ iff $v'(x) > M$ for each $x \in X$,

• if $v(x) \le M$, then $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$ and ($\{v(x)\} = 0$ iff $\{v'(x)\} = 0$) for each $x \in X$, and

• if $v(x) \le M$ and $v(y) \le M$, then $\{v(x)\} < \{v(y)\}$ iff $\{v'(x)\} < \{v'(y)\}$ for all $x, y \in X$.

The relation $\equiv_M$ is an equivalence relation of finite index. The partitioning $\mathcal{R}^M_{df}(X)$ is then defined as the set of equivalence classes of $\mathbb{T}^X / \equiv_M$. Fig. 2 explains the region construction for two clocks.


Fig. 2: Diagonal-free region partitioning for two clocks and maximal constant 2 (figure not reproduced). (a) Partition compatible with constraints, not with time elapsing (the two marked points cannot be equivalent). (b) Partition compatible with constraints, time elapsing (and resets); the highlighted region is defined by $1 < x < 2$, $1 < y < 2$, $\{x\} < \{y\}$.


It is easy to prove (and left as an exercise) the following lemma:

Lemma 1 The partitioning $\mathcal{R}^M_{df}(X)$ is a set of regions for the constraints $\mathcal{C}^M_{df}(X)$.

Roughly counting all possible combinations above, we can bound the number of regions in $\mathcal{R}^M_{df}(X)$ by $2^{|X|} \cdot |X|! \cdot (2M + 2)^{|X|}$, where $|X|$ is the cardinal of $X$.


Sets of regions for general constraints. Recall that the difference between diagonal-free clock constraints and general clock constraints lies in the fact that diagonal constraints (i.e. constraints of the form $x - y \bowtie c$) can be used. An easy extension of the previous construction can be done. We do not define it formally here, but only give a simple example with two clocks, see Fig. 3. This set of regions is denoted $\mathcal{R}^M(X)$, and its cardinal can roughly be bounded by $(2M + 2)^{(|X| + 1)^2}$. Note that this set of regions is also correct for $M$-bounded diagonal-free constraints.

Fig. 3: Set of regions for 2-bounded general constraints with two clocks (figure not reproduced); the highlighted region is defined by $x > 2$, $1 < y < 2$, $1 < x - y < 2$.


Region automata for classical timed automata. Let $\mathcal{A}$ be a timed automaton with set of clocks $X$, and let $M$ be the maximal constant involved in the constraints of $\mathcal{A}$; the set $\mathcal{R}^M(X)$ is then a set of regions for $\mathcal{A}$. From the results of the previous subsections, we get the following theorem, due to Alur and Dill [6, 7], which is the core of the verification of timed systems.
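The following Python code is an added example, not code from the tutorial: it implements the equivalence $\equiv_M$ of this subsection as a canonical key, builds a representative valuation for each region, computes the time-successor and reset moves of the region graph of Section 4.1 on those representatives, and explores the region automaton $\Gamma_{\mathcal{R}}(\mathcal{A})$ of a small constructed diagonal-free automaton. Guards are tested on a single representative of a region, which is sound by condition ① because the guards are $M$-bounded and diagonal-free. The automaton, its clock and state names, and the rational grid used to enumerate regions are assumptions of the example.

```python
from fractions import Fraction
from itertools import product
from math import floor

def val(**clocks):
    """Valuation clock -> exact rational, e.g. val(x="1.2", y=1)."""
    return {x: Fraction(str(a)) for x, a in clocks.items()}

def region_key(v, M):
    """Canonical key of the class of v for ≡_M: per clock either 'above M' or
    (⌊v(x)⌋, {v(x)} = 0), plus the ordering of the fractional parts of the
    clocks that are ≤ M (the three conditions of the definition)."""
    per_clock, bounded = {}, []
    for x, value in v.items():
        if value > M:
            per_clock[x] = ("above M",)
        else:
            ip = floor(value)
            per_clock[x] = (ip, value == ip)
            bounded.append((value - ip, x))
    bounded.sort()
    groups, prev = [], None
    for frac, x in bounded:               # clocks with equal fraction share a group
        if frac == prev:
            groups[-1].append(x)
        else:
            groups.append([x])
            prev = frac
    order = tuple(tuple(sorted(g)) for g in groups)
    return (tuple(sorted(per_clock.items())), order)

def representative(key, M):
    """One valuation inside region `key`: group i of the fraction order gets
    fraction (i+1)/(n+1), integer-valued clocks get 0, clocks above M get M+1."""
    per_clock, order = dict(key[0]), key[1]
    n, v = len(order), {}
    for rank, group in enumerate(order):
        for x in group:
            ip, is_int = per_clock[x]
            v[x] = Fraction(ip) + (0 if is_int else Fraction(rank + 1, n + 1))
    for x, info in per_clock.items():
        if info == ("above M",):
            v[x] = Fraction(M + 1)
    return v

def time_successor(key, M):
    """Region entered from `key` when time elapses (None once every clock is above M)."""
    v = representative(key, M)
    fracs = [value - floor(value) for value in v.values() if value <= M]
    if not fracs:
        return None
    if min(fracs) == 0:
        d = Fraction(1, 2 * (len(v) + 2))   # tiny delay: integer-valued clocks leave the integer
    else:
        d = 1 - max(fracs)                  # the largest fraction reaches the next integer
    return region_key({x: value + d for x, value in v.items()}, M)

def reset(key, Y, M):
    """Region reached from `key` by resetting the clocks in Y (sound by condition ③)."""
    v = representative(key, M)
    return region_key({x: (Fraction(0) if x in Y else value) for x, value in v.items()}, M)

def count_regions(clocks, M):
    """Number of classes of ≡_M, obtained by sampling a grid fine enough to realise
    every integer part, zero/non-zero fraction and ordering of fractions."""
    step = len(clocks) + 1
    grid = [Fraction(k, step) for k in range(step * (M + 1) + 1)]
    return len({region_key(dict(zip(clocks, vs)), M) for vs in product(grid, repeat=len(clocks))})

def reachable_states(automaton, M):
    """States of A reachable in Γ_R(A): ε-moves are time successors, action moves
    need R ⊆ [[g]] (tested on a representative) followed by the reset of Y."""
    start = (automaton["init"], region_key({x: Fraction(0) for x in automaton["clocks"]}, M))
    seen, stack = {start}, [start]
    while stack:
        q, R = stack.pop()
        succ = []
        nxt = time_successor(R, M)
        if nxt is not None:
            succ.append((q, nxt))
        rep = representative(R, M)
        for src, guard, _action, Y, dst in automaton["transitions"]:
            if src == q and guard(rep):
                succ.append((dst, reset(R, Y, M)))
        for s in succ:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return {q for q, _ in seen}

# Constructed diagonal-free automaton (an assumption of this example), M = 2:
# l0 --a, x>=1, y:=0--> l1,  l1 --b, y<=1 and x>=2--> l2,  l1 --c, x<1--> l3.
# l3 is unreachable: x is at least 1 when l1 is entered and never decreases.
EXAMPLE = {
    "clocks": ["x", "y"],
    "init": "l0",
    "transitions": [
        ("l0", lambda v: v["x"] >= 1, "a", {"y"}, "l1"),
        ("l1", lambda v: v["y"] <= 1 and v["x"] >= 2, "b", set(), "l2"),
        ("l1", lambda v: v["x"] < 1, "c", set(), "l3"),
    ],
}
```

For two clocks and $M = 2$ the enumeration finds 44 regions, well inside the bound $2^{|X|} \cdot |X|! \cdot (2M+2)^{|X|} = 288$ given above, and the exploration of $\Gamma_{\mathcal{R}}(\mathcal{A})$ reports exactly the states l0, l1 and l2 as reachable.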


Theorem 1 (Alur & Dill 90's) Reachability (or equivalently emptiness) is decidable for timed automata. It is a PSPACE-complete problem (for both diagonal-free as well as general timed automata).


Although this theorem was first proved in [7], the proof we choose to sketch is taken from [1], where it is written in detail.

Proof. [Sketch] PSPACE membership is easy: the size of the region automaton is exponential in the size of the original automaton. Using the NLOGSPACE complexity of the reachability problem in classical untimed graphs, we get that reachability in timed automata can be decided in PSPACE. PSPACE-hardness can be proved by reducing the termination of a linearly bounded Turing machine (LBTM for short) on some input to reachability in timed automata. The encoding is done as follows: assuming the alphabet is $\{a, b\}$, the content of cell $C_j$ of the tape of the LBTM is encoded by two clocks $x_j$ and $y_j$. Cell $C_j$ contains an "a" when the constraint $x_j = y_j$ holds, and cell $C_j$ contains a "b" when the constraint $x_j < y_j$ holds. Note that these two conditions are invariant under time elapsing.


If $q \to q'$ is a transition of the LBTM which reads $\alpha$, writes $\alpha'$ and moves the head in direction $\delta$, then for each position $i$ of the tape, there will be a transition $(q, i) \xrightarrow{g, Y} (q', i')$ where:

• $g$ is $x_i = y_i$ (resp. $x_i < y_i$) if $\alpha = a$ (resp. $\alpha = b$);

• $Y = \{x_i, y_i\}$ (resp. $Y = \{x_i\}$) if $\alpha' = a$ (resp. $\alpha' = b$);

• $i' = i + 1$ (resp. $i' = i - 1$) if $\delta$ is right and $i < n$ (resp. left).


We need to enforce time elapsing; this can be done by adding a clock $t$ which is checked to be equal to 1 and reset to 0 on all transitions. Initially the tape contains the encoding of the word $w_0$. This can be done by a transition from a state "init" to $(q_0, 1)$, where $q_0$ is the initial state of the LBTM, which checks whether $t = 1$ and resets the clocks in $Y_0$, where $Y_0 = \{t\} \cup \{x_i \mid w_0[i] = b\}$. The computation of the LBTM over $w_0$ terminates iff there is a run from state "init" to some state $(q_f, i)$ where $q_f$ is the final state of the LBTM.


Note that the above encoding uses diagonal constraints, but as will be seen later (see section 5.1), these diagonals are not needed. A direct but more involved construction without diagonals can be found in the appendix of [1].


Remark 2 Note that the sets of regions we have described could be refined: there is no need to have the same maximal constant for all clocks; one maximal constant per clock could be used. However, for our purpose here, there is no need for such a refinement.


4.3 Interpretation in Terms of Finite Bisimulation

With what has been presented before, conditions ①, ② and ③ (compatibility of the set of regions with constraints, time elapsing and resets) have a natural interpretation in terms of time-abstract bisimulation.


Timed transition system associated with a timed automaton. We have defined the semantics of a timed automaton as runs or timed words. We could have defined its semantics as a timed transition system as well. Transition systems (thus in particular timed transition systems) are more suitable for behavioural comparisons of systems.

Let $\mathcal{A} = (\Sigma, Q, T, I, F, X)$ be a timed automaton. The timed transition system associated with $\mathcal{A}$ has $Q \times \mathbb{T}^X$ as set of states and its transition relation is defined by the two following rules:

$(\ell, v) \xrightarrow{d} (\ell, v + d)$ for every $d \in \mathbb{T}$,
$(\ell, v) \xrightarrow{a} (\ell', v')$ if there is $\ell \xrightarrow{g, a, Y} \ell'$ in $T$ such that $v \models g$ and $v' = [Y \leftarrow 0]v$.


Time-abstract bisimulation. Time-abstract bisimulation could be defined for two timed automata, but for our purpose, we follow the lines of [22] and define time-abstract bisimulation on a single timed automaton. Let $\mathcal{A} = (\Sigma, Q, T, I, F, X)$ be a timed automaton (over alphabet $\Sigma$). We say that a relation $\equiv \subseteq (Q \times \mathbb{T}^X) \times (Q \times \mathbb{T}^X)$ is a time-abstract bisimulation whenever it is an equivalence relation satisfying the following conditions:

• if $(\ell_1, v_1) \equiv (\ell_2, v_2)$ and $(\ell_1, v_1) \xrightarrow{d_1} (\ell_1, v_1 + d_1)$ for some $d_1 \in \mathbb{T}$, then there exists $d_2 \in \mathbb{T}$ such that $(\ell_2, v_2) \xrightarrow{d_2} (\ell_2, v_2 + d_2)$ and $(\ell_1, v_1 + d_1) \equiv (\ell_2, v_2 + d_2)$;

• if $(\ell_1, v_1) \equiv (\ell_2, v_2)$ and $(\ell_1, v_1) \xrightarrow{a} (\ell_1', v_1')$, then there exists $(\ell_2', v_2')$ such that $(\ell_2, v_2) \xrightarrow{a} (\ell_2', v_2')$ and $(\ell_1', v_1') \equiv (\ell_2', v_2')$;

• and vice-versa.

By definition, such a relation is an equivalence relation, and as such, $\equiv$ is said to have finite index whenever there are finitely many equivalence classes. Informally, from two equivalent configurations, it is possible to do the same discrete actions and/or to wait some amount of time (possibly different in the two configurations) and stay equivalent.


Relation with the region automaton construction.

Proposition 2 Let $\mathcal{A}$ be a timed automaton and $\mathcal{R}$ a set of regions for the constraints in $\mathcal{A}$. The relation $\{((\ell, v), (\ell, v')) \mid [v]_{\mathcal{R}} = [v']_{\mathcal{R}}\}$ is a time-abstract bisimulation with a finite index.


Time-abstract bisimulation appears indeed as the right notion corresponding to the region automaton construction, and formally justifies everything which has been explained previously. More precisely, it shows that the region automaton construction can be used to verify all properties that are invariant under time-abstract bisimulation, e.g. reachability properties, safety properties, many untimed properties. However, notice that we cannot use this construction directly to verify properties expressed in a timed logic like TCTL, because a property like "reaching a state in exactly 5 units of time" is not invariant under time-abstract bisimulation. For these properties a more involved construction is needed, which adds a clock for the formula and then constructs a region automaton taking this additional clock into account. We do not develop this construction here but refer to the original articles on the subject [2].


The converse of Proposition 2 also holds, and it can be used to prove decidability of timed systems: if for a timed system we can compute a time-abstract bisimulation relation with a finite index, then reachability (and other time-abstract invariant properties) can be decided using a region automaton-like construction. Examples of such constructions can be found in [29, 22].


4.4 Partial Conclusion

Timed automata are an interesting model for representing systems with real-time constraints. Despite the infinite number of possible configurations of a timed automaton, model-checking of reachability properties has been proved decidable. This is probably the most fundamental property of timed automata; it was proved at the beginning of the 90's by Alur and Dill, and is the starting point of numerous works on timed models. We have presented in this section the basics of the decidability of timed automata, which relies on a reduction to finite automata: this is fundamental for most of the works on timed systems. It is however worth noticing that not everything can be reduced to the finite automata case. For example (see [7] and also [42]),

• universality (the dual of reachability) is an undecidable problem;

• the class of timed languages accepted by timed automata is not closed under complementation;

• not all timed automata can be determinized, and, in addition, the problem of deciding whether a timed automaton can be determinized is an undecidable problem.

These problems will not be tackled in this tutorial, but we refer to [10] for a survey of (un)decidability results about timed automata.


In the rest of this tutorial, we will mostly consider extensions (or variants) of timed automata and study the decidability of these models, and we will also concentrate on algorithmic and implementation aspects. We hope this will help in better understanding timed behaviours and timed models.


5 Extensions of Timed Automata 


For representing real-life systems, it is much more convenient to have expressive and easy-to-use models. We will present in this section several extensions (or variants) of timed automata, and will focus on the decidability of their reachability problem. We will also give some expressiveness results.

A class of systems $\mathcal{S}$ is said to be strictly more expressive than a class of systems $\mathcal{S}'$ whenever there exists $S$ in $\mathcal{S}$ such that no $S'$ in $\mathcal{S}'$ accepts the same language as $S$, and for every system $S'$ in $\mathcal{S}'$, there exists $S$ in $\mathcal{S}$ which recognizes the same language as $S'$. A class of systems $\mathcal{S}$ is as expressive as $\mathcal{S}'$ whenever for every $S$ in $\mathcal{S}$, there exists $S'$ in $\mathcal{S}'$ which accepts the same language as $S$.


5.1 Role of Diagonal Clock Constraints

Diagonal constraints (i.e. clock constraints of the form $x - y \bowtie c$ where $x, y \in X$, $c \in \mathbb{Z}$ and $\bowtie \in \{<, \le, =, \ge, >\}$) were first mentioned in the seminal paper of Alur & Dill [7], and are often considered as part of the model of timed automata. We have seen in the previous section that diagonal constraints do not add any decidability or complexity problems to the model.


It was known as a folklore result that diagonal constraints can be eliminated from timed automata, and thus that they do not add expressive power to timed automata. A formal proof of this result is given in [15].


Proposition 3 For every timed automaton $\mathcal{A}$, possibly with diagonal constraints, there exists a timed automaton $\mathcal{B}$, with only diagonal-free constraints, which recognizes the same language. Note that $\mathcal{B}$ is strongly bisimilar² to $\mathcal{A}$.

This construction leads to an exponential (in the number of diagonal constraints) blowup of the number of states of the automaton, and this blowup is unavoidable, as timed automata with diagonal constraints are exponentially more succinct than diagonal-free timed automata [19].


² Which means they are bisimilar (in the classical way) for actions taken in $\Sigma \cup \mathbb{T}$: if a system can do an action, then so can the other system, and if a system can wait $d$ units of time, then so can the other system.


5.2 Adding Silent Actions

For finite automata, it is well-known that silent actions (also known as $\varepsilon$-transitions or internal actions) do not add expressive power to finite automata and that they can be eliminated with no blowup in the number of states of the automaton. Silent actions in timed automata have been studied in detail in [15], and the situation is far from the one in the untimed framework.

A first (easy) fact is that the region automaton construction can be done in a similar way when there are silent actions; we thus get:

Proposition 4 The reachability problem is decidable for timed automata with silent actions. The complexity is also PSPACE-complete.

However, and this is at first surprising, silent actions cannot be removed, contrary to the case of classical finite automata.


Theorem 2 Timed automata with silent actions are strictly more expressive than classical timed automata.

Several examples are given in [15]. Among them, there is the language $L = \{(a, t_1) \ldots (a, t_i) \ldots \mid \forall i,\ t_i \bmod 2 = 0\}$. This timed language is recognized by the following automaton but is recognized by no timed automaton without silent actions.


Proofs of non-expressivity by a classical timed automaton are always ad hoc, as there is no real criterion for a timed language to be recognized by a classical timed automaton. However a sufficient criterion is given in [15]: let $\mathcal{A}$ be a timed automaton possibly with silent actions; if, in $\mathcal{A}$, there is no loop in which a clock is reset on an $\varepsilon$-transition, then $\varepsilon$-transitions can be removed from $\mathcal{A}$, and we can construct a timed automaton $\mathcal{B}$ without $\varepsilon$-transitions which recognizes the same language.


5.3 Adding Additive Clock Constraints

We have seen that diagonal constraints can be used safely in timed automata. A natural idea is then to consider clock constraints of the form $x + y \bowtie c$. Such a constraint will be called an additive clock constraint. The model of timed automata which uses classical constraints and additive clock constraints has been studied in [16].

Two clocks. For timed automata with two clocks, a region construction can be done. We will not define it precisely here, but the region partitioning when the maximal constant is 2 is illustrated on Fig. 4. The general case can be easily deduced from this representation.


Fig. 4: Region partitioning for additive clock constraints (two clocks) (figure not reproduced)

Proposition 5 The reachability problem for timed automata with at most two clocks and possibly additive clock constraints is decidable.

The language $L^*$ represented on Fig. 5 is accepted by a timed automaton with two clocks and additive clock constraints but is accepted by no timed automaton with classical clock constraints.

[Figure not reproduced: a timed automaton whose transition is labelled $x + y = 1,\ a,\ x := 0$.]

$L^* = \{(a^n, t_1 \ldots t_n) \mid n \ge 1 \text{ and } t_i = 1 - \tfrac{1}{2^i}\}$

Fig. 5: A language which needs additive clock constraints
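Both the run of Example 1 (Section 2) and the additive-constraint automaton of Fig. 5 can be checked with a small executable version of the run semantics of Section 2. The following Python code is an added example, not code from the tutorial: guards are predicates over exact rational valuations (the time domain $\mathbb{Q}_+$), so a diagonal guard such as $x - y > 3$ and an additive guard such as $x + y = 1$ are handled alike; `runs` enumerates every run over a timed word, following the definition (let time elapse to $t_i$, check $g_i$, reset $Y_i$), and `accepts` decides membership in $L(\mathcal{A})$. The parts of the two figures that are not legible on the page are assumptions, marked in comments: the $a$-transition of Example 1 is taken to have a trivially true guard and to reset $y$ (which is what the run $(\ell_0,(0,0)) \to (\ell_1,(4.1,0)) \to (\ell_2,(5.5,1.4))$ implies), and the Fig. 5 loop is rendered with two states so that the empty word is rejected.

```python
from fractions import Fraction

def valuation(clocks, **values):
    """Valuation over `clocks` (clock -> exact rational); unspecified clocks are 0."""
    return {x: Fraction(str(values.get(x, 0))) for x in clocks}

def timed_word(*pairs):
    """Timed word from (action, absolute time) pairs, times as exact rationals."""
    return [(a, Fraction(str(t))) for a, t in pairs]

def runs(automaton, word):
    """Yield every run of `automaton` over `word` as a list of configurations
    (state, valuation). Several runs may exist since transitions are nondeterministic."""
    def explore(state, v, now, i, trace):
        if i == len(word):
            yield trace
            return
        a, t = word[i]
        if t < now:
            return                                     # not a time sequence
        elapsed = {x: value + (t - now) for x, value in v.items()}   # v_{i-1} + (t_i - t_{i-1})
        for src, guard, action, Y, dst in automaton["transitions"]:
            if src == state and action == a and guard(elapsed):    # v_{i-1} + ... |= g_i
                v_next = {x: (Fraction(0) if x in Y else value) for x, value in elapsed.items()}
                yield from explore(dst, v_next, t, i + 1, trace + [(dst, v_next)])

    v0 = valuation(automaton["clocks"])                # v_0(x) = 0 for every clock
    for q0 in automaton["initial"]:
        yield from explore(q0, v0, Fraction(0), 0, [(q0, v0)])

def accepts(automaton, word):
    """w ∈ L(A) iff some run over w ends in a final state."""
    return any(trace[-1][0] in automaton["final"] for trace in runs(automaton, word))

EXAMPLE1 = {
    "clocks": ["x", "y"],
    "initial": {"l0"}, "final": {"l2"},
    "transitions": [
        # assumption: the a-transition has no guard and resets y
        ("l0", lambda v: True, "a", {"y"}, "l1"),
        # legible on the page: x - y > 3, b
        ("l1", lambda v: v["x"] - v["y"] > 3, "b", set(), "l2"),
    ],
}

FIG5 = {
    "clocks": ["x", "y"],
    "initial": {"p"}, "final": {"q"},
    "transitions": [
        # assumption: two-state rendering of the figure's loop "x+y=1, a, x:=0",
        # so that at least one a is required (n >= 1 in L*)
        ("p", lambda v: v["x"] + v["y"] == 1, "a", {"x"}, "q"),
        ("q", lambda v: v["x"] + v["y"] == 1, "a", {"x"}, "q"),
    ],
}

def l_star_word(n):
    """The unique word of length n in L*: n actions a at times t_i = 1 - 1/2^i."""
    return [("a", 1 - Fraction(1, 2 ** i)) for i in range(1, n + 1)]
```

With `EXAMPLE1`, the word $(a, 4.1)(b, 5.5)$ has exactly one run and it ends in $\ell_2$ with valuation $(5.5, 1.4)$, as in the text, whereas $(a, 1)(b, 5)$ is rejected because $x - y$ equals the date of the $a$ and never exceeds 3. With `FIG5`, the guard $x + y = 1$ after the reset of $x$ forces $2t_i - t_{i-1} = 1$, which is why only the dates $t_i = 1 - 1/2^i$ are accepted.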


Four clocks or more. The following result holds for timed automata with four clocks or more, and additive clock constraints:

Theorem 3 The reachability problem is undecidable for timed automata with four clocks or more, and additive clock constraints.

This undecidability result is rather involved and is obtained by reduction from the halting problem of a two counter machine [39]. The proof can be found in [16].

What about three clocks? The region graph construction done for two clocks does not extend to three clocks. Using the characterization of regions in terms of time-abstract bisimulation, it has been proven in [41] that there is no finite partitioning satisfying the conditions ①, ② and ③ as soon as there are three clocks ($x$, $y$ and $z$) and the constraints $\{x + y = 1, x = 0, z = 1\}$ are used. However the reduction presented above (for proving undecidability of reachability checking in timed automata with four clocks and additive clock constraints) cannot be adapted if we allow only three clocks. It is still an open problem whether the reachability problem for timed automata with three clocks and additive clock constraints is decidable or not.


5.4 Adding New Operations on Clocks

Up to now, we can only reset clocks to zero. In [20], models using more general updates have been studied. In the model of updatable timed automata, a transition is of the form $\ell \xrightarrow{g, a, up} \ell'$ where $g$ is a clock constraint, $a$ is an action and $up$ is an update, i.e. for each clock $x$, an operation $up_x$ of the form $x :\bowtie c$ or $x :\bowtie y + c$ where $c \in \mathbb{Z}$, $y$ is a clock, and $\bowtie \in \{<, \le, =, \ge, >\}$. Let us take two valuations $v$ and $v'$. We have that $v' \in up(v)$ whenever for each clock $x$, $v'(x) \in up_x(v)$, where

$up_x(v) = \{\alpha \mid \alpha \bowtie c\}$ if $up_x$ is $x :\bowtie c$,
$up_x(v) = \{\alpha \mid \alpha \bowtie v(y) + c\}$ if $up_x$ is $x :\bowtie y + c$.

For example, it is possible to decrement the value of a clock by 1, or to set a clock non-deterministically to a value less than 2.


This model is very general and it is easy to prove that the reachability problem is not decidable for the whole class of updatable timed automata, by reducing the computation of a two counter machine to the computation of an updatable timed automaton (decrementation (resp. incrementation) of counters is simulated by decrementation (resp. incrementation) of clocks). In [20], tighter undecidable classes and several decidable classes are described. We will not enter into details here, but will present two undecidability proofs and describe one decidable class.


Decrementing clocks leads to undecidability. We now sketch the reduction from a two counter machine to updatable timed automata with resets to zero and decrementation. Let us consider a two counter machine $M$ with the two counters $c$ and $d$. We will construct a timed automaton $A$ (with decrementations and resets to zero) such that the computation of $M$ terminates if and only if a given state of $A$ is reachable. The value of counter $c$ (resp. counter $d$) is encoded by the value of clock $x$ (resp. clock $y$). An additional clock $z$ is used to pace the computation of automaton $A$. Incrementation (and decrementation) of counters are simulated as follows.


e Incrementation of counter c. 


For incrementing counter $c$, we let time elapse during one unit of time. The two clocks $x$ and $y$ thus increase by 1. It is then sufficient to decrease clock $y$ by 1: the value of $x$ in $\ell'$ is equal to the value of $x$ in $\ell$ plus 1, whereas the value of $y$ in $\ell'$ is equal to the value of $y$ in $\ell$. This correctly encodes an incrementation of $c$ by 1.


e Decrementation of counter c. 


An explanation similar to the one for incrementation can be given.


Incrementing clocks also leads to undecidabil- 
ity as soon as diagonal constraints are used... 
From the previous reduction, it is sufficient to be 
able to simulate the part of the automaton which 
is framed with dashed lines, thus to decrease the 
value of a clock (say x) by 1. 


[Figure: the module simulating the framed part with increments and diagonal constraints; edge labels recovered from the figure: $z = 0,\ w := 0$; $w := w + 1$; $z - w = 1,\ z := 0$; $x = w,\ z = 0$ (one further update label is illegible).]


It is easy to see that this module simulates an in- 
crementation. 


... but remains decidable when no diagonal constraints are used. We will see that the usual (diagonal-free) region partitioning is correct when also using incrementation of clocks. However this requires a more involved explanation. Indeed, the three conditions ①, ② and ③ are no longer sufficient because more general operations on clocks are used. More precisely, we need to replace condition ③ by the following condition (where $\mathcal{R}$ is a finite partitioning of the set of valuations, and $U$ is a finite set of updates):

③' We say that $\mathcal{R}$ is compatible with updates in $U$ whenever for all $R, R' \in \mathcal{R}$, for each $up \in U$, if for some valuation $v \in R$, $up(v) \cap R' \neq \emptyset$, then for every valuation $v' \in R$, $up(v') \cap R' \neq \emptyset$.


It is just an extension of Proposition 1 to prove that if, for a finite set of constraints $C$ and a finite set of updates $U$, we can construct a set of regions satisfying conditions ①, ② and ③', then the region automaton construction can be used to verify reachability (or more generally time-abstract invariant) properties.


Let us fix a finite set $C$ of diagonal-free constraints, and a finite set of updates $U$ of the form $x := y + c$ and possibly some resets of clocks. If the system of inequations

$$\{\alpha_x \ge c \mid (x \bowtie c) \text{ is in } C\} \ \cup\ \{\alpha_x \le \alpha_y + c \mid (x := y + c) \text{ is in } U\}$$

has a solution $(M_x)_{x \in X}$, then the diagonal-free set of regions where the maximal constant for $x$ is $M_x$ satisfies the three above-mentioned conditions. Note that if only updates of the form $x := x + 1$ are authorized then, as claimed before, the usual region partitioning is correct (because the constraints $\alpha_x \le \alpha_x + 1$ are trivially true).

However the usual region partitioning sometimes needs to be refined a little. Consider the following example: the maximal constant to which the two clocks $x$ and $y$ are compared is 2, both resets of $x$ and $y$ are allowed, and the more elaborate update $y := x - 1$. The system of inequations is $\{\alpha_x \ge 2,\ \alpha_y \ge 2,\ \alpha_y \le \alpha_x - 1\}$. It has a solution, e.g. $\alpha_y = 2$ and $\alpha_x = 3$. We explain the intuition behind these conditions on Fig. 6.

Updatable timed automata have been studied in detail in [20], where the precise frontier between decidable and undecidable subclasses has been depicted: among other results, when only diagonal-free constraints are used, decrementation of clocks leads to undecidability whereas incrementation leads to decidability, which may appear as a surprising result. It has also been proved that for every updatable timed automaton belonging to some decidable subclass, we can construct a timed automaton with silent actions (but with an exponential complexity blowup) which recognizes the same timed language.

Fig. 6: Partitioning for updates $y := x - 1$. (a) Classical partitioning not compatible with $y := x - 1$ ($x$ axis from 0 to 2). (b) Set of regions satisfying conditions ①, ② and ③' ($x$ axis from 0 to 3).


5.5 Partial Conclusion 

We have briefly presented in this section several extensions and variants of timed automata, having in mind the decidability of reachability checking. Many other extensions or subclasses could have been presented as well, for example timed automata with modulo constraints [23], or event-predicting and event-recording timed automata [9, 35].


Historically, (linear) hybrid automata [30, 32] have not been defined and studied as an extension of timed automata, but they can be viewed as such. A hybrid automaton is roughly a timed automaton where variables (instead of clocks) grow in every state following some differential equation. Linear hybrid automata are particular hybrid automata where variables evolve following linear differential equations. As soon as a variable has two different slopes, the hybrid automata model is undecidable [32]. In particular, stopwatch automata, i.e. timed automata in which clocks can be stopped, are undecidable. However, a decidable subclass has been exhibited, the so-called initialized rectangular automata. Hybrid automata are a very interesting model which would require a whole tutorial in itself. We rather refer to [40] for an introduction to this model.


6 Algorithmics & Implementation 


In practice the region automaton construction is not used in tools. Algorithms for “minimizing” the region automaton have been proposed, for example in [3, 4, 43]. However, in practice, on-the-fly techniques are preferred.


6.1 Reachability Analysis: Two Methods 

There are two main families of (semi-)algorithms 
for analyzing reachability properties of systems 
(not only timed systems, but all kinds of systems). 


Forward analysis. The general idea of forward analysis is to compute the configurations which are reachable from the initial configurations within 1 step, 2 steps, etc., until final states are reached or until the computation terminates.


Backward analysis. The general idea of back- 
ward analysis is to compute configurations from 
which we can reach final configurations within 1 
step, 2 steps, etc... until initial configurations are 
reached or until the computation terminates. 


These two generic approaches are used for many models, for example counter machines, hybrid systems, etc. Of course, given a class of systems, specific techniques (e.g. abstractions, widening operations, etc.) can be used for improving the computation. We will study how these approaches can be used for verifying timed automata.


6.2 Reachability Analysis in Timed Automata: Zones

We now need to look carefully at how the above-mentioned general methods can be used for verifying timed automata. In particular, as timed automata have an infinite number of configurations, we need to use symbolic representations for doing the computation. Given a transition $e$ of a timed automaton, $\ell \xrightarrow{g,\, a,\, Y} \ell'$, we need to be able to compute, given a set $W$ of valuations, both sets

$$\{v' \mid \exists v \in W\ \exists t \in \mathbb{T} \text{ s.t. } v + t \models g \text{ and } v' = [Y \leftarrow 0](v + t)\}$$

$$\{v \mid \exists v' \in W\ \exists t \in \mathbb{T} \text{ s.t. } v + t \models g \text{ and } [Y \leftarrow 0](v + t) = v'\}$$


It is worth noticing that if the forward computation starts in an initial state with all clocks initialized to 0, or if the backward computation starts from the final states with clocks set to any value (which is sufficient as we are only interested in reachability of discrete states), the sets of valuations which are computed are zones, i.e. sets of valuations defined by a general clock constraint. Recall that general clock constraints are defined by the grammar:

$$g ::= x \bowtie c \mid x - y \bowtie c \mid g \wedge g$$

where $c \in \mathbb{Z}$, $\bowtie \in \{<, \le, =, \ge, >\}$ and $x, y$ are clocks. A clock constraint $g$ defines a zone $[\![g]\!] = \{v \in \mathbb{T}^X \mid v \models g\}$. For analyzing timed automata, zones are the symbolic representation which is commonly used. For implementing forward and backward analysis, we need to be able to perform several operations on zones. From what has been said before, these operations are the following ($Z$ and $Z'$ are supposed to be zones):


- Future of $Z$: $\overrightarrow{Z} = \{v + t \mid v \in Z \text{ and } t \in \mathbb{T}\}$
- Past of $Z$: $\overleftarrow{Z} = \{v - t \mid v \in Z \text{ and } t \in \mathbb{T}\}$
- Intersection of $Z$ and $Z'$: $Z \cap Z' = \{v \mid v \in Z \text{ and } v \in Z'\}$
- Reset to zero of $Z$ w.r.t. a set of clocks $Y$: $[Y \leftarrow 0]Z = \{[Y \leftarrow 0]v \mid v \in Z\}$
- Inverse reset to zero of $Z$ w.r.t. a set of clocks $Y$: $[Y \leftarrow 0]^{-1}Z = \{v \mid [Y \leftarrow 0]v \in Z\}$
- Test emptiness of $Z$: decide whether $Z = \emptyset$


Using these operations, the basic steps of the forward and the backward computations can be rewritten as:

$$Post_e(Z) = [Y \leftarrow 0]\big(\overrightarrow{Z} \cap [\![g]\!]\big)$$

$$Pre_e(Z) = \overleftarrow{[Y \leftarrow 0]^{-1}\big(Z \cap [\![Y = 0]\!]\big) \cap [\![g]\!]}$$


6.3 The DBM Data Structure

For representing zones, the most commonly used data structure is the so-called DBM data structure (where DBM stands for “Difference Bounded Matrix”). This data structure was first introduced in [17] and then proposed in the framework of timed automata in [28]. Several presentations of this data structure can be found in the literature, for example in [24, 14, 18].


A difference bounded matrix (DBM for short) for a set $X = \{x_1, \ldots, x_n\}$ of $n$ clocks is an $(n+1)$-square matrix of pairs

$$(m; \prec) \in \mathbb{V} = (\mathbb{Z} \times \{<, \le\}) \cup \{(\infty; <)\}.$$

A DBM $M = (m_{ij}; \prec_{ij})_{0 \le i, j \le n}$ defines the following subset of $\mathbb{T}^X$ (the clock $x_0$ is supposed to be always equal to zero, i.e. for each valuation $v$, $v(x_0) = 0$):

$$\{v : X \to \mathbb{T} \mid \forall i, j,\ v(x_i) - v(x_j) \prec_{ij} m_{ij}\}$$

where $\gamma < \infty$ simply means that $\gamma$ is some real without bound. This subset of $\mathbb{T}^X$ is a zone and will be denoted, in what follows, by $[\![M]\!]$. In what follows, to simplify notations, we will assume that all constraints are non-strict, so that the coefficients of DBMs will be elements of $\mathbb{Z} \cup \{\infty\}$.


Example 3 Consider the zone defined by the constraints $(x_1 \ge 3) \wedge (x_2 \le 5) \wedge (x_1 - x_2 \le 4)$. This zone, depicted in the figure, can be represented by the following DBM (rows and columns are indexed by $x_0, x_1, x_2$):

$$\begin{array}{c|ccc} & x_0 & x_1 & x_2 \\ \hline x_0 & \infty & -3 & \infty \\ x_1 & \infty & \infty & 4 \\ x_2 & 5 & \infty & \infty \end{array}$$

[Figure: the zone drawn in the $(x_1, x_2)$ plane.]

A zone can have several representations using DBMs. For example, the zone of the previous example can equivalently be represented by the DBM

$$\begin{pmatrix} 0 & -3 & 0 \\ 9 & 0 & 4 \\ 5 & 2 & 0 \end{pmatrix}$$


A normal form can be defined on DBMs, which tightens all possible constraints. This can be done using a Floyd algorithm on the matrix (viewed as a weighted graph). A zone has a unique representation as a DBM in normal form. Tests like emptiness checking, or comparison of zones, can then be done syntactically on the DBMs in normal form. For example, a zone $Z$ is included in a zone $Z'$ if the DBM in normal form representing $Z$ is smaller (coefficient by coefficient) than the DBM in normal form representing $Z'$. Finally, all operations on zones described in section 6.2 can easily be done on the DBMs; details can be found in all mentioned papers on DBMs.


Let us just mention that the DBM data structure is the most basic data structure which is used for analyzing timed systems; some more involved BDD-like data structures can also be used, for example CDDs (which stands for “Clock Difference Diagrams”) [37].


6.4 Backward Analysis 

Let $A = (\Sigma, Q, T, I, F, X)$ be a timed automaton. Backward analysis then consists in computing the following sets of symbolic configurations: $S_0 = \{(f, \mathbb{T}^X) \mid f \in F\}$, and iteratively

$$S_{p+1} = \{(\ell, Z) \mid \exists e = (\ell \xrightarrow{g,\, a,\, Y} \ell') \in T,\ \exists (\ell', Z') \in S_p \text{ s.t. } Z = Pre_e(Z')\}, \ \ldots$$


Theorem 4 The backward computation termi- 
nates and is correct w.r.t. reachability, i.e. if a 
state is found reachable by the computation, then 
it is really reachable. 


Correctness is immediate as the computation is ex- 
act (as opposed to over-(or under-)approximate). 
Termination needs some additional argument, re- 
lated to properties of the region partitioning asso- 
ciated with timed automata. The termination proof 
then relies on the following lemma, which can be 
proved as an exercise. 


Lemma 2 Let $A$ be a timed automaton and let $\mathcal{R}$ be a set of regions satisfying conditions ①, ② and ③ (for $A$). Consider a finite union of regions $\bigcup_{i=1}^{p} R_i$ (with $R_i \in \mathcal{R}$ for $1 \le i \le p$). Then the following holds:

- $\overleftarrow{\bigcup_{i=1}^{p} R_i}$ is a finite union of regions
- $[Y \leftarrow 0]^{-1}\big(\bigcup_{i=1}^{p} R_i\big)$ is a finite union of regions (for any set of clocks $Y$)
- $g \cap \big(\bigcup_{i=1}^{p} R_i\big)$ is a finite union of regions if $g$ is a constraint of $A$ (thus compatible with $\mathcal{R}$)


Backward analysis thus appears as a very interesting method for analyzing timed systems. However, in practice, the most commonly used tools (for example UPPAAL) prefer using a forward analysis procedure. A natural question then arises: what's the problem with backward analysis? It comes from the fact that the use of bounded integer variables really improves and eases the modeling of real systems. Backward analysis is then not suitable for arithmetical operations: for example, if we know in which interval the variable $i$ lies and if we know that $i$ is assigned the value $j.k + l.m$, it is not easy to compute the possible values of the variables $j$, $k$, $l$, $m$ (apart from listing all possible tuples of values). For this kind of operations, forward analysis is much more suitable.


6.5 Forward Analysis 

Let $A = (\Sigma, Q, T, I, F, X)$ be a timed automaton. Forward analysis then consists in computing the following sets of symbolic configurations: $S_0 = \{(i, 0) \mid i \in I\}$ (where $0$ denotes the valuation with all clocks equal to zero), and then iteratively

$$S_{p+1} = \{(\ell', Z') \mid \exists e = (\ell \xrightarrow{g,\, a,\, Y} \ell') \in T,\ \exists (\ell, Z) \in S_p \text{ s.t. } Z' = Post_e(Z)\}, \ \ldots$$

The forward analysis gives a correct answer (if it gives an answer), but may not terminate. An example of automaton where the forward computation does not terminate is given on Fig. 7. The zones which are computed are represented on the right part of the figure, and it is easy to check that the computation will never terminate.


Fig. 7: Forward computation does not always ter- 
minate... 


To overcome this problem, it is necessary to use some abstractions; several are proposed in [26]. For example, if $Z$ and $Z'$ are computed for the location $\ell$, the zones are replaced by the smallest zone containing both $Z$ and $Z'$: this approximation is called the “convex-hull”³; it does not ensure termination and is only semi-correct w.r.t. reachability, in the sense that a state which is announced as reachable may not be reachable. The most interesting abstraction studied in [26] is the extrapolation operator.


The extrapolation operator. The abstraction operator which is commonly used is called extrapolation, and sometimes normalization [14]. We will denote it here $\mathrm{Approx}_k$; it is defined up to a constant $k$ as follows: if $Z$ is a zone, $\mathrm{Approx}_k(Z)$ is the smallest $k$-bounded zone⁴ which contains $Z$. This operation is well-defined on DBMs: if $M$ is a DBM in normal form representing $Z$, a DBM representing $\mathrm{Approx}_k(Z)$ is $M'$ where each coefficient less than $-k$ is replaced by $-k$ and each coefficient greater than $k$ is replaced by $+\infty$, all other coefficients remaining unchanged.


Example 4 Consider the zone $M$ of Example 3. Its extrapolation w.r.t. 2 is the following DBM:

$$\mathrm{Approx}_2(M) = \begin{pmatrix} 0 & -2 & 0 \\ +\infty & 0 & +\infty \\ +\infty & 2 & 0 \end{pmatrix}$$


³ It is a language abuse, because it is not really the convex hull of the two zones, but the smallest zone containing the convex hull of the two zones.

⁴ A $k$-bounded zone is a zone defined by a $k$-bounded clock constraint.


[Figure: the zones $[\![M]\!]$ and $[\![\mathrm{Approx}_2(M)]\!]$ drawn in the $(x_1, x_2)$ plane.]

Obviously,


• $\mathrm{Approx}_k$ is a finite abstraction operator because there are finitely many DBMs whose coefficients are either $+\infty$ or some integer between $-k$ and $+k$

• the computation of $\mathrm{Approx}_k$ is effective and can be done easily on DBMs

• $\mathrm{Approx}_k$ is a complete abstraction w.r.t. reachability because for every zone $Z$, $Z \subseteq \mathrm{Approx}_k(Z)$
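The DBM operations of Sections 6.2, 6.3 and 6.5 (normal form by Floyd's algorithm, emptiness and inclusion tests on normal forms, $Post_e$, and the extrapolation $\mathrm{Approx}_k$), as an added, self-contained Python example that is not part of the paper or of any tool it cites; it re-derives the matrices of Examples 3 and 4 under the paper's assumption that all bounds are non-strict, and constructs its own guard for the $Post_e$ step.

```python
from math import inf as INF

# Added example (not from the paper): DBMs with non-strict bounds as in
# Section 6.3. Clocks are x_1..x_n plus the reference clock x_0 == 0;
# m[i][j] = c encodes v(x_i) - v(x_j) <= c, and INF encodes "no bound".

def dbm_from_constraints(n, constraints):
    """DBM of the zone given by triples (i, j, c) meaning x_i - x_j <= c.
    Clocks are non-negative (x_0 - x_i <= 0) and the diagonal is 0."""
    m = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        m[i][i], m[0][i] = 0, 0
    for i, j, c in constraints:
        m[i][j] = min(m[i][j], c)
    return m

def normal_form(m):
    """Floyd-Warshall on the DBM seen as a weighted graph: each bound is
    tightened to a shortest path, giving the unique canonical DBM of the zone."""
    n, m = len(m), [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if m[i][k] + m[k][j] < m[i][j]:
                    m[i][j] = m[i][k] + m[k][j]
    return m

def is_empty(m):
    """A negative cycle (negative diagonal entry after tightening) means Z is empty."""
    return any(normal_form(m)[i][i] < 0 for i in range(len(m)))

def included(m1, m2):
    """Z1 is a subset of Z2 iff the normal form of Z1 is pointwise <= that of Z2."""
    a, b = normal_form(m1), normal_form(m2)
    return is_empty(m1) or all(a[i][j] <= b[i][j]
                               for i in range(len(a)) for j in range(len(a)))

def intersection(m1, m2):
    """Z1 ∩ Z2: keep the tighter of the two bounds, coefficient by coefficient."""
    return [[min(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def future(m):
    """Time elapse (the arrow over Z): drop every upper bound x_i - x_0 <= c."""
    m = normal_form(m)
    for i in range(1, len(m)):
        m[i][0] = INF
    return m

def reset(m, clocks):
    """[Y <- 0]Z: a reset clock x_y becomes equal to x_0, so its row and
    column are copied from those of x_0 (computed on the normal form)."""
    m = normal_form(m)
    for y in clocks:
        for j in range(len(m)):
            m[y][j], m[j][y] = m[0][j], m[j][0]
    return m

def post(m, guard, clocks):
    """Post_e(Z) = [Y <- 0](future(Z) ∩ [[g]]), with the guard g given as a DBM."""
    return reset(intersection(future(m), guard), clocks)

def approx(m, k):
    """Extrapolation Approx_k (Section 6.5) applied to the normal form:
    coefficients below -k become -k, coefficients above k become +INF."""
    return [[-k if c < -k else INF if c > k else c for c in row]
            for row in normal_form(m)]

# Example 3 of the paper: x1 >= 3, x2 <= 5 and x1 - x2 <= 4 over clocks x1, x2.
EXAMPLE3 = dbm_from_constraints(2, [(0, 1, -3), (2, 0, 5), (1, 2, 4)])

if __name__ == "__main__":
    print(normal_form(EXAMPLE3))   # [[0, -3, 0], [9, 0, 4], [5, 2, 0]]
    print(approx(EXAMPLE3, 2))     # [[0, -2, 0], [inf, 0, inf], [inf, 2, 0]]
```

Passing a constructed guard such as $x_2 = 6$ to `post` shows the forward step of Section 6.5 on the same zone: the future of Example 3 intersected with the guard and then reset on $x_2$.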


The only remaining problem is the correctness of $\mathrm{Approx}_k$ w.r.t. reachability: we have to find a constant $k$ such that this abstraction operator is correct w.r.t. reachability.


Theorem 5 Let $A$ be a diagonal-free timed automaton. Take $k$ the maximal constant appearing in the constraints of $A$. Then $\mathrm{Approx}_k$ is correct w.r.t. reachability in $A$.


Two different proofs of this theorem can be found 
in [18] and [12]. Note that this theorem does not 
extend to timed automata with general clock con- 
straints. See [18] for a counter-example, and [21] 
for a solution to the problem. 


6.6 Tools for Timed Systems 


Several tools implement timed (and hybrid) au- 
tomata. 


• HYTECH [31] is a model-checker for linear hybrid automata. Exact backward and forward computations can be done, so reachability properties can be checked (but there is of course no guarantee that the computation will terminate). Many other operations on polyhedra can be performed, for example hiding of variables (corresponding to projections), “while” loops, emptiness checks, etc. HYTECH, which has been developed in Berkeley (USA), can be downloaded from

http://www-cad.eecs.berkeley.edu:80/~tah/HyTech/


• KRONOS [25] is a model-checker for timed automata. Exact as well as abstract backward and forward computations can be done. A backward procedure for the logic TCTL [2] is also implemented [34]. The tool KRONOS, which has been developed in Grenoble (France), can be downloaded from

http://www-verimag.imag.fr/TEMPORISE/kronos/


• UPPAAL [38] is a model-checker for timed automata which performs forward analysis with extrapolation. It can verify reachability properties of timed systems with some extra features such as bounded integer variables and broadcast channels. The tool UPPAAL, which is jointly developed at Aalborg University (Denmark) and Uppsala University (Sweden), can be downloaded from

http://www.uppaal.com/


7 Conclusion


In this tutorial we have presented the basic model of timed automata, introduced at the beginning of the 90's by Rajeev Alur and David Dill [7]. One of the most important and most fundamental constructions used in this domain is the region automaton construction: it finitely abstracts behaviours of timed automata into behaviours of finite automata, which makes it possible to model-check many properties: although we only presented how reachability properties can be checked, properties in TCTL can also be verified using a region-like construction [2]. We have also presented several extensions of timed automata, concentrating on the decidability of the model-checking of reachability properties.


There are so many works which have been devoted 
to timed systems in general, and timed automata in 
particular, that it is hopeless to present the whole 
theory of timed automata in a single tutorial. The 
current tutorial presents some results on timed au- 
tomata, focusing on the decidability of reachability 
properties and on implementation issues for veri- 
fying such properties. 